The present invention relates to cyber security, and more specifically, to detecting beaconing behavior using time rescaling and aggregation, followed by an analysis in the frequency domain.
Sophisticated cyber security threats, for example advanced persistent threats (APTs), employ strategies to infect endpoints within a security perimeter and instruct these machines (e.g., by means of a malware process) to issue regular callback traffic, hereinafter referred to as “beaconing”, to a machine outside the perimeter of an organization (e.g., on the Internet) controlled by an attacker. Other well-known cases employing beaconing traffic are botnet command and control infrastructures, where bots use such techniques to announce themselves and establish stealthy communication channels in order to receive instructions from the botnet master. In general, beaconing traffic can be characterized as regular (periodic) traffic (e.g., network connections, network packets) to a destination point. It is also noted that beaconing traffic is not necessarily generated by a malware process, since beaconing traffic also occurs in benign, desirable network operations, such as when a safe application sends out periodic update requests.
Existing solutions to detect beaconing behavior include pattern matching, statistical techniques and trending, grouping and rate-based thresholds, and finite state machines. Pattern-matching-based approaches search for predetermined periodic patterns (e.g., one connection every 10 seconds) in the network traffic. Methods based on statistical techniques, trending, grouping, and rate-based thresholds first group related connections together, extract statistical features such as the mean and standard deviation of connection intervals, and determine that beaconing behavior exists if the features or rates exceed certain pre-defined thresholds. Other solutions implement finite state machines to find periodic events where there are more than a certain number of flows between two IP addresses at a regular interval.
The drawbacks of existing solutions include a large memory footprint (e.g., requiring a state machine for every source/destination pair). Another drawback is that they are limited to a short analysis time window (e.g., on the order of minutes or hours). Further, existing solutions assume strictly regular, consecutive, and periodic beaconing behavior, which is often not the case in real-world network traffic.
In reality, intervals are not strictly periodic, as endpoints dynamically join and leave the network, endpoints restart, gaps or noise exist in the observation, and/or malware may change its beaconing behavior. In addition, some malware employs multiple periodicities, such as short intervals (e.g., seconds) for contact establishment, followed by intervals of remaining dormant for a longer period of time (e.g., hours or days).
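As an added illustration (not part of the patent text), the following Python contrasts the interval-statistics approach described above with a time-binned frequency-domain check of the kind the invention's title refers to, on a constructed beacon log containing a restart gap and one missed callback. The timestamps, the 10-second bin size, the 0.1 coefficient-of-variation threshold and the 0.9 peak ratio are assumptions chosen for the example.

```python
from math import cos, sin, pi, sqrt

# Constructed connection log for one source/destination pair: a callback every
# 60 s over one hour with a few seconds of jitter.  CLEAN_TS is the ideal
# case; BEACON_TS additionally has a 10-minute outage (endpoint restart, no
# traffic for 600 <= t < 1200) and one missed callback at t=2400.
CLEAN_TS = [t + (t // 60 * 7) % 5 for t in range(0, 3600, 60)]
BEACON_TS = [t for t in CLEAN_TS if not (600 <= t < 1200) and t // 60 != 40]

def interval_stats(ts):
    """Mean, standard deviation and coefficient of variation of the
    inter-connection intervals (the features used by threshold-based detectors)."""
    iv = [b - a for a, b in zip(ts, ts[1:])]
    mean = sum(iv) / len(iv)
    std = sqrt(sum((x - mean) ** 2 for x in iv) / len(iv))
    return mean, std, std / mean

def looks_periodic_by_stats(ts, max_cv=0.1):
    """Threshold detector: flag as beaconing when intervals are nearly constant.
    A single gap inflates the standard deviation and hides the beacon."""
    return interval_stats(ts)[2] <= max_cv

def bin_counts(ts, bin_size, duration):
    """Aggregate connection timestamps into a fixed-step count series."""
    bins = [0] * (duration // bin_size)
    for t in ts:
        bins[int(t) // bin_size] += 1
    return bins

def dominant_period(ts, bin_size=10, duration=3600, rel=0.9):
    """Estimate the beacon period (seconds) from the DFT of the binned series.
    Gaps and missed callbacks only lower the peak; they do not move it."""
    x = bin_counts(ts, bin_size, duration)
    n = len(x)
    mean = sum(x) / n
    x = [v - mean for v in x]            # remove DC so k=0 cannot dominate
    mags = []
    for k in range(1, n // 2 + 1):
        re = sum(v * cos(2 * pi * k * i / n) for i, v in enumerate(x))
        im = sum(v * sin(2 * pi * k * i / n) for i, v in enumerate(x))
        mags.append(sqrt(re * re + im * im))
    peak = max(mags)
    # A sparse pulse train spreads equal energy over its harmonics, so the
    # fundamental is the lowest frequency bin at (nearly) peak magnitude.
    k = next(i + 1 for i, m in enumerate(mags) if m >= rel * peak)
    return duration / k

if __name__ == "__main__":
    for name, ts in (("clean", CLEAN_TS), ("gapped", BEACON_TS)):
        print(name, "cv=%.2f" % interval_stats(ts)[2],
              "stats_flag=%s" % looks_periodic_by_stats(ts),
              "dft_period=%.0fs" % dominant_period(ts))
```

On the gapped log the interval statistics exceed the threshold and the beacon is missed, while the binned spectrum still reports a 60-second period.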